Audit: State at ‘high risk’ of cyber attack

The state’s computer systems are at “high risk” of online attack, and a cyber security firm hired to secretly hack into agencies’ systems easily gained access to thousands of documents containing Coloradans’ sensitive personal information, an audit released today revealed.

The audit, conducted from February through November, found that 12 of 20 agencies had failed to submit plans outlining their computer system security measures to the state’s Office of Cyber Security as required by law. And while there had been 43 cyber security incidents reported to the office since 2006, auditors believed the number was higher, noting that some known incidents had not been reported.

Most alarming to lawmakers on the Legislative Audit Committee was the result of a “covert penetration test” done by a private security firm on state agencies.

“We conducted a penetration test of public agencies and found significant vulnerabilities throughout state government that allowed the assessment team to compromise thousands of records containing individuals’ confidential information, such as social security numbers, birth dates, and income levels,” auditors reported. “The assessment team also compromised several state networks and systems and identified hundreds of vulnerabilities in state systems.

“Based on the results of our penetration test, prior information technology audits, and our review of the implementation of the Colorado Cyber Security Program during this audit, we concluded that the Office of Cyber Security has failed to successfully implement the Colorado Cyber Security Program, as specified by statute.”